US20250385780A1

FAST PARALLELIZABLE MULTI-KEY FULLY HOMOMORPHIC ENCRYPTION BASED ON NTRU

Publication

Country:US
Doc Number:20250385780
Kind:A1
Date:2025-12-18

Application

Country:US
Doc Number:19315768
Date:2025-09-01

Classifications

IPC Classifications

H04L9/06H04L9/00H04L9/08

CPC Classifications

H04L9/0618H04L9/008H04L9/0861

Applicants

Jinan University

Inventors

Jian WENG, Zhen HAN, Yuan JI, Zikai SONG, Yuteng WANG, Junzuo LAI, Zhiquan LIU, Ming LI, Bingwen FENG, Jiasi WENG

Abstract

The present application describes a multi-key fully homomorphic encryption (MK-FHE) scheme that enables secure and efficient multi-party computation by integrating learning with errors (LWE), ring learning with errors (RLWE), and NTRU-based encryption primitives. The scheme supports dynamic key management, parallelizable bootstrapping, and low-overhead homomorphic operations. Key innovations include a hybrid product mechanism for merging ciphertexts across cryptographic structures, a single-key blind rotation algorithm optimized for Fourier domain operations, and a noise-refreshing procedure that bounds error growth during homomorphic evaluations. This scheme achieves quasi-linear time complexity relative to the number of participating parties, making it suitable for resource-constrained environments such as federated learning and secure cloud-based AI inference.

Figures

Description

TECHNICAL FIELD

[0001]The present disclosure relates to the field of homomorphic encryption, particularly to a multi-key fully homomorphic encryption (MK-FHE) scheme. The disclosure provides a system and method for secure multi-party computation with parallelizable bootstrapping mechanisms. This enables efficient processing of encrypted data under multiple independent keys while reducing computational and hardware resource requirements.

BACKGROUND

[0002]Fully Homomorphic Encryption (FHE) allows computations on encrypted data without decryption, enabling privacy-preserving applications such as cloud computing, federated learning, and secure artificial intelligence (AI) inference. Traditional FHE schemes assume a single public key for encryption, which limits their applicability in multi-party scenarios where participants use independent keys. Two approaches address this limitation: Threshold FHE and Multi-Key FHE (MK-FHE). Threshold FHE uses a shared public key with distributed secret keys but is restricted to static participant sets, lacking flexibility. MK-FHE, conversely, allows each participant to generate independent key pairs, supporting dynamic participation and joint evaluation of ciphertexts under different keys.

[0003]Prior MK-FHE schemes, such as those by López-Alt et al., demonstrated feasibility but were limited by static keys and bounded participant counts. Later advancements, like those by Peikert and Shiehian, introduced dynamic key support but incurred high computational overhead. NTRU-based MK-FHE schemes, valued for compact ciphertexts, faced vulnerabilities like sublattice attacks, necessitating large moduli that increased resource demands. Recent TFHE-based MK-FHE schemes improved efficiency but relied on large bootstrapping keys, making them impractical for resource-constrained environments, such as edge devices or low-power servers.

[0004]Existing MK-FHE frameworks struggle with inefficient bootstrapping for multi-key ciphertexts, failing to balance security (e.g., avoiding overstretched parameters) and performance. Bootstrapping, a critical process for refreshing ciphertexts to manage noise growth, is computationally intensive in multi-key settings, often requiring significant memory and processing power. These limitations hinder scalability and deployment in real-world applications, particularly those involving dynamic participant sets or constrained hardware.

[0005]There remains an unmet need for an MK-FHE scheme that supports dynamic key inclusion, provides efficient parallelizable bootstrapping, and maintains robust security under standard cryptographic assumptions while minimizing hardware requirements.

SUMMARY

[0006]The present disclosure addresses these challenges by providing a novel MK-FHE scheme based on NTRU, incorporating parallelizable bootstrapping and hybrid ciphertext merging. The present disclosure provides the following schemes.

[0007]
A computer-implemented method for multi-key fully homomorphic encryption, comprising:
    • [0008]generating a unified set of public parameters defining operational moduli and dimensions for learning with errors (LWE), ring learning with errors (RLWE), and NTRU-based encryption schemes;
    • [0009]producing, for each participant in a plurality of participants, independent cryptographic keys comprising a secret key pair for encryption and decryption operations, and a hybrid product key enabling merging of ciphertexts across LWE and RLWE structures;
    • [0010]transforming plaintext data into an initial encrypted form under a participant's secret key, yielding a participant-specific ciphertext compatible with LWE structures;
    • [0011]aggregating participant-specific ciphertexts from the plurality of participants to form a composite ciphertext operable under multiple keys;
    • [0012]conducting homomorphic evaluation of a logical operation on at least two composite ciphertexts, incorporating a noise-refreshing procedure that: integrates single-element LWE-based encrypted structures with multi-element RLWE-based encrypted structures through a gadget decomposition and tensor product-based multiplication process to generate an updated composite ciphertext; and
    • [0013]recovering the evaluated plaintext from the updated composite ciphertext by collaboratively applying the secret keys of all relevant participants.

[0014]Preferably, the step of generating a unified set of public parameters defining operational moduli and dimensions for LWE, RLWE, and NTRU comprises specifying an integer modulus q for LWE operations and a polynomial ring modulus Q for RLWE and NTRU operations; specifying a vector dimension n for LWE secrets and a polynomial ring dimension N for RLWE/NTRU secrets; and specifying noise distributions, gadget decomposition bases, and error bounds for all three encryption schemes.

[0015]Preferably, the secret key pair comprises an LWE secret vector

siqn

and an

[0016]RLWE secret key zi ∈ RQ; the hybrid product key is generated by sampling random elements ri←χσβ and noise vector

ei,0𝒳σβdhp,

computing

di,0=ri·a+fi·𝔤+ei,0RQdhp,

computing

di,2=-zi·di,1+ri·𝔤+ei,1RQdhp,

and outputting a product key pair (di,1, di,2), a ciphertext merging key set is NKSK={nkski}0≤i≤d−1, where

nkski=NTRUf,Q(Bi).

[0017]Preferably, the step of transforming plaintext data into an initial encrypted form under a participant's secret key comprises sampling a random vector

aiqn

and noise term e from a distribution χσ, computing a ciphertext component

b=-ai,si+q4m+e,

and outputting the ciphertext as a pair

(b,ai)q×qn,

wherein si is the participant's LWE secret key.

[0018]Preferably, aggregating participant-specific ciphertexts from a plurality of participants by: receiving single-party LWE ciphertexts

cj=(bj,aj)qn+1

for 1≤j≤k, where each cj is encrypted under a distinct participant's secret key; computing a joint offset term

bsum= j=1kbjq,

concatenating ciphertext vectors to form

ajoint=(a1, ,ak)qkn;

outputting a composite ciphertext

ct_=(bsum,ajoint)qkn+1;

wherein the composite ciphertext is operable under a combination of all participants' secret keys for homomorphic evaluation or decryption.

[0019]Preferably, the noise-refreshing procedure during homomorphic evaluation comprises: computing decomposed components for each index j from 0 to d−1:vj=c⊙nkskj, constructing a gadget vector v=(v0, v1, . . . , vd−1), computing

cj=𝔤-1(cj)·v mod Q

and forming intermediate ciphertext

cˆ=(c0,c1, ,ck),

applying HybridProduct to ê using public keys {bj}j∈[k].

[0020]Preferably, recovering the evaluated plaintext comprises: computing an inner product between the updated composite ciphertext

ct_=( j=1kbj,a1, ,ak)qkn+1

and the aggregated secret key vector (1, s), where s=(s1, . . . sk) is the concatenation of all participants' secret keys, scaling and discretizing the result to recover a plaintext bit

m=2q(ct¯,(1,s¯)){0,1}.

[0021]Preferably, the noise-refreshing procedure comprises: initializing an accumulator ACC, executing blind rotation BREval in a Fourier domain, and merging ciphertexts via HybridProduct with noise variance bounded by: σ2≤k·dhp·N2·Vhp·σβ2, where k denotes the number of participants, dhp denotes gadget decomposition dimension, N denotes ring dimension of RLWE/NTRU (RQ=ZQ[X]/(XN+1)), Vhp denotes variance bound of gadget base B, σβ2 denotes variance of RLWE noise distribution.

[0022]Preferably, the blind rotation algorithm BREval comprises: scaling coefficients

ai=2Nqai,

initializing ACC=Xa0⊙evk0, iteratively updating

ACC[g+(Xai-1)·evki]

for 1≤i≤n−1.

[0023]Preferably, the noise-refreshing procedure executes in quasi-linear time relative to the number of parties k.

[0024]Preferably, the noise-refreshing procedure further comprises a ModSwitch operation comprising: receiving a multi-key LWE ciphertext

c=(c0, ,ckn)Qkn+1,

applying randomized rounding to each component: [x]q:Q=└qx/Q┘+B, and outputting a refreshed ciphertext

c=([ci]q:Q)0iknqkn+1.

[0025]Preferably, the noise-refreshing procedure further comprises a KeySwitch operation comprising: receiving a multi-key LWE ciphertext

ct_=(b,a1, ,ak)qkn+1,

for each participant j, 1≤j≤k, computing

(bj,aj)= i=0N-1𝔤-1(ai,j)·lsksj,

then outputting a transformed ciphertext

ct_=(b+ i=1kbi,a1, ,ak).

[0026]
According to another aspect of the present disclosure, a computing system configured for multi-key fully homomorphic encryption, comprises:
    • [0027]a central node configured to produce and disseminate a unified set of public parameters for LWE, RLWE, and NTRU-based encryption schemes; and
    • [0028]a plurality of participant nodes, each configured to: generate cryptographic keys including a secret key and a hybrid product key for ciphertext merging; convert plaintext data into a participant-specific ciphertext; contribute to aggregating participant-specific ciphertexts into a composite ciphertext; participate in homomorphic evaluation via a noise-refreshing procedure that integrates LWE and RLWE structures through gadget decomposition and tensor product-based multiplication; wherein the noise-refreshing procedure applies a Fourier transform-based rotation operation in a frequency domain.

[0029]Preferably, each participant node executes the noise-refreshing procedure by: performing tensor product-based multiplication with decomposition and vector assembly to bound error growth.

[0030]Preferably, the central node distributes parameters defining a noise distribution χ and gadget base B.

[0031]Preferably, each participant node performs the tensor product-based multiplication by constructing a vector v=(v0, . . . , v_ {d−1}) via linear combinations of decomposed ciphertext components.

[0032]According to another aspect of the present disclosure, a non-transitory computer-readable storage medium storing instructions, when executed by one or more processors, cause the processors to perform the methods described above.

[0033]
The core structure of the present disclosure includes:
    • [0034]1. Cryptographic Primitives: Utilizes Learning With Errors (LWE), Ring Learning With Errors (RLWE), and NTRU-based GSW-like encryption to construct a secure foundation for multi-key operations.
    • [0035]2. Single-Key Blind Rotation: Employs a blind rotation algorithm operating in the Fourier domain to manipulate encrypted data efficiently, reducing computational overhead.
    • [0036]3. Hybrid Ciphertext Merging: Combines scalar NTRU ciphertexts with multi-key RLWE ciphertexts via a hybrid product mechanism, optimizing noise management and compatibility.
    • [0037]4. Parallelizable Multi-Key Bootstrapping: Implements a bootstrapping algorithm that refreshes ciphertexts under multiple keys in parallel, significantly reducing computational time.
    • [0038]5. Core MK-FHE Algorithms: Includes Setup, KeyGen, Enc, Dec, and NAND operations, enabling dynamic key inclusion and evaluation of arbitrary circuits with quasi-linear time complexity.

[0039]The present disclosure has the following technical advantages. The disclosure leverages gadget decomposition and NTRU-based encryption to minimize noise growth during computations. The parallelizable bootstrapping algorithm reduces time complexity to quasi-linear in the number of parties, enabling faster processing compared to prior MK-FHE schemes that scale poorly with participant count. By optimizing ciphertext sizes through NTRU's compact structure and minimizing bootstrapping key sizes via blind rotation in the Fourier domain, the disclosure reduces memory and processing demands. This enables deployment on resource-constrained devices, such as edge devices or low-power servers, without sacrificing security. The scheme supports on-the-fly key addition, allowing new parties to join computations without reconfiguring the system, enhancing flexibility for applications like federated learning. Built on standard cryptographic assumptions (e.g., decisional KDM-form NTRU problem), the scheme avoids vulnerabilities like sublattice attacks by using carefully selected parameters, ensuring security without requiring oversized moduli.

BRIEF DESCRIPTION OF THE DRAWINGS

[0040]FIG. 1 is a flowchart of the overall MK-FHE (Multi-Key Fully Homomorphic Encryption) process according to an embodiment of the present disclosure. It starts with the setup phase (MKHE.Setup) that calls sub-procedures for LWE, RLWE, and NTRU setup to generate public parameters. Then, it proceeds to key generation (MKHE.KeyGen) where LWE and RLWE secret keys are sampled, product keys and keyswitching keys are generated, and the keys are published. The encryption step (MKHE.Enc) samples random parameters and outputs an LWE ciphertext. The expansion step (MKHE.Expand) converts the LWE ciphertext to a multi-key ciphertext (MK-LWE). The NAND gate evaluation (MKHE.NAND) takes two MK-LWE ciphertexts, evaluates the NAND gate, and refreshes the result via multi-key bootstrapping. Finally, the decryption step (MKHE.Dec) uses the MK-LWE ciphertext and the secret key to compute the plaintext.

[0041]FIG. 2 illustrates a process involving multiple BREval (Blind Rotation Evaluation) operations and a subsequent merge. Each BREval block (two are shown, indexed 1 and k) processes a sequence of operations (brk1,0 to brk1.n−1 and brkk,0 to brkk,n−1) and produces an output (ACC′1 and ACC′k). These outputs are then merged (Merge) into an accumulator (ACC), which is then processed to form an MK-RLWE ciphertext and finally transformed into an MK-LWE ciphertext.

[0042]FIG. 3 shows the detailed steps of the NAND gate operation in a multi-key FHE scheme. Two MK-LWE ciphertexts (each in

Qn+1

are input to a NAND gate. The output of the NAND is an MK-LWE ciphertext (in

Qkn+1).

This ciphertext then undergoes accumulator operations (ACC operations) to become an MK-RLWE ciphertext (in

RQk+1).

The MK-RLWE is then processed by a “Merge+Extract” step to form an MK-LWE ciphertext in

QkN+1.

This is then processed by Key Switch to another MK-LWE ciphertext in

Qkn+1.

Finally, Mod Switen is applied to output the last MK-LWE ciphertext in

qkn+1.

[0043]FIG. 4 is a schematic diagram of a computing system according to an embodiment of the present disclosure.

DETAILED DESCRIPTION OF THE EMBODIMENTS

[0044]The present disclosure enables secure multi-party computation by performing homomorphic operations on encrypted data under multiple independent keys, with a parallelizable noise-refreshing procedure that leverages Fourier transform-based rotation, gadget decomposition, and tensor product-based multiplication. The description details of some embodiments of the method's steps, the system's architecture, and the hardware configuration required for implementation, emphasizing efficiency improvements and suitability for resource-constrained environments.

[0045]The following detailed description, in conjunction with the accompanying drawings, elaborates the MK-FHE scheme based on NTRU, focusing on its technical implementation and improvements over prior art. The scheme integrates cryptographic primitives such as LWE, RLWE, and NTRU-based GSW-like encryption, with a focus on parallelizable bootstrapping to enable efficient multi-party computations. Some embodiments of the detailed algorithms are described below, incorporating specific operational steps, noise management techniques, and references to the illustrative figures.

[0046]A fast parallelizable multi-key fully homomorphic encryption based on NTRU according to some embodiments of the present disclosure is described below. The MK-FHE scheme includes cryptographic primitives, bootstrapping mechanisms, and core algorithms.Setup: Generates public parameters for LWE, RLWE, and NTRU.KeyGen: Each party generates LWE/RLWE/NTRU keys, plus evaluation keys for bootstrapping. Enc: Encrypts a bit into an LWE ciphertext using the party's secret key. Expand: Combines single-party LWE ciphertexts into a multi-key LWE ciphertext. Dec: Decrypts a multi-key ciphertext using all participants secret keys. NAND: Evaluates a NAND gate on two multi-key ciphertexts and refreshes via bootstrapping.

[0047]The server generates public parameters for LWE, RLWE and NTRU, taking the security parameter λ, and returns a public parameter set pp. In particular, generate the parameter ppLWE=(n, χ, σα, B, d, q), generate the parameter ppRLWE=(N, χ, σβ, B, d, a, Q), and generate the parameter ppNTRU=(N, χ, σe, B, d, Q). Finally, return the generated public parameters ppMKHE=(ppLWE, ppRLWE, ppNTRU).

[0048]Each party generates LWE/RLWE/NTRU keys, plus evaluation keys for bootstrapping. Specifically, each party samples an LWE secret key

si=(si,0, ,si,n-1)qn,

a PLWE secret key zi ∈ RQ, and a noice vector

ei𝒳σβd

and compute

bi=-a·zi+eiRQd.

[0049]Generate the product key for NKSK product MK-RLWE: Firstly, using a RLWE secret key zj ∈ RQ and a NTRU secret key fi ∈RQ of party i. Sample ri←ωσβ and a noise vector

ei,0𝒳σβdhp,

output the vector

di,0=ri·a+fi·𝔤+ei,0RQdhp.

Sample

di,1RQdhp

and a noise vector

ei,1𝒳σβdhp,

compute

di,2=-zi·di,1+ri·𝔤+ei,1RQdhp

and output(di,1,di,2).

[0050]
Using a NTRU secret key f and gadget base B, the algorithm first leverages NTRU-related operations (consistent with the KDM—form NTRU framework where RQ=custom-characterQ[X]/(XN+1), R=custom-character[X]/(XN+1), key distribution χs, noise distribution χe, etc.) to compute a set of ciphertexts. Then,

nkski=NTRUf,Q(Bi)

and return NKSK={nkski}0≤i≤d−1.

[0051]The evaluation key for Single-key blind rotation uses a secret key

s=(s0, ,sn-1)qn

for the first-layer LWE encryption, and a secret key ƒ ∈ RQ (aligning with the NTRU setup where fis sampled from the key distribution χs over R and projected to RQ for the second-layer NTRU-based GSW-like encryption. When computing a set of ciphertexts:

evk0=NTRUQ,f(s0/f),evki=NTRUQ,f(si)

for 1≤i≤n, with these NTRU encryption operations adhering to the KDM-form NTRU assumption's mathematical space (i.e., within the ring RQ and using distributions χs, χe to ensure hardness properties as per the decisional KDM-form NTRUN,Q,χs,χe problem, where distinguishing the constructed ciphertext distributions from random ones in RQ is computationally hard for PPT algorithms.

[0052]
Generate the MK-LWE keyswitch key. Use two LWE secret key z=(z0, . . . , zN−1) ∈ custom-characterN and s=(s0, . . . , sn−1) ∈ custom-charactern, sample

Aiqd×n

and noise

eiχσd

for 0≤i≤N−1, then compute

bi=-Ai·s+ei+zi·𝔤qd

and output the keyswitch key lksk={(bi, Ai)}0≤j≤N−1.

[0053]After key Generation, Each party Publish(bi, hpki, NKSKi, EVKi, lkski).

[0054]Each party encrypts a bit into an LWE ciphertext using the party's secret key. Using a plaintext m ∈ {0,1}, party i sample

aiqn,eχσ

to output a LWE ciphertext

ci=(-ai,si+q4m+e,ai)q×qn.

[0055]Each party Combines single-party LWE ciphertexts into a multi-key LWE ciphertext. Given

cj=(bj,aj)qn+1

for 1≤j≤k, return the MK-LWE ciphertext

ct_=(j=1kbj,a1, ,ak)qkn+1.

[0056]Evaluates a NAND gate on two multi-key ciphertexts and refreshes via bootstrapping. This algorithm operates on a Multi-key LWE ciphertext

ct_qkn+1.

First, it initializes ACC as

(-Q8·X2Nqb·-N2<i<N2Xi,0)RQk+1.

Then, for j from 1 to k, it invokes the BREval algorithm.

[0057]BREval((b, a),EVK) works as follows: First, iterate over i from 0 to n−1, and in each iteration, set

ai=2Nqai.

Then, initialize ACC as ACC=Xa0⊙evk0. Next, iterate over i from 1 to n−1, and in each iteration, update ACC as

ACC[g+(Xai-1)·evki].

Finally, return ACC.

[0058]After that, for j from 1 to k again, the Merge algorithm is used to update ACC. The Merge algorithm functions as follows: It first iterates j from 0 to d−1, computing vj=c⊙nkskj.

[0059]Then, it constructs v=(v0, v1, . . . , vd−1). Next, for j from 0 to k, it computes

cj=𝔤-1(cj)·vmodQ,

forms

cˆ=(c0,c1, ,ck),

and finally computes c via HybridProduct(ĉ,hpki,{bj}j∈[k]) and returns ĉ.

[0060]It constructs v=(v0, v1, . . . , vd−1). Next, for j from 0 to k, it computes

cj=𝔤-1(cj)·v mod Q,

forms

cˆ=(c0,c1, ,ck).

To compute c, given the MK-RLWE ciphertext

cˆ=(, ,)RQk+1),

hpki=(di,0, di,1, di,2) of party i, and public keys {bj}j∈[k] associated with ĉ: first, for 0≤j≤k, compute (uj=custom-characterg−1(custom-character), di,0custom-character); then compute

v= j=0k𝔤-1(cJ^),bj;

next, construct the MK-RLWE ciphertext

c¯=(c0,c1, ,ck)RQk+1 where (c0=u0+(𝔤-1(v),di,1),ci=ui+(𝔤-1(v),di,2,and cj=uj for j[k]{i}.

This c satisfies custom-characterc, zcustom-character=θ·custom-characterĉ, zcustom-character+e′ with the variance of the noise term e′, denoted

σhp2,

satisfying

σhp2kdhpN2Vhpσβ2.

Finally, it returns ĉ.

[0061]Next, ACC is updated by adding

(Q8,0).

Subsequently, ct′ is obtained by applying Extract(ACC) to get an element in

QkN+1.

[0062]Then, the KeySwitch algorithm is performed. The KeySwitch (ct′, {lsksj}j∈[k]) works as follows: Given a MK-LWE ciphertext

ct_=(b,a1, ,ak)qkn+1 where aj=(a0,j, ,an-1,j)qn

and a set of key-switch keys {lsksj}j∈[k]. For 1≤j≤k, it computes

(bj,aj)= i=0N-1𝔤-1(ai,j)·lsksj.

[0063]Then it outputs the ciphertext

ct_=(b+ i=1kbi,a1, ,ak).

after Extract, KeySwitch is performed on ct′ with {lsksj}j∈[k] to get an element in

Qkn+1.

[0064]Finally, the ModSwitch algorithm is applied. The ModSwitch(c) algorithm: Given a MK-LWE ciphertext

c=(c0, ,ckn)Qkn+1,

using the randomized rounding function [·]q:Q:custom-characterQcustom-character defined as [x]q:Q=└qx/Q┘+B, it outputs the ciphertext

c=([ci]q:Q)0iknqkn+1.

After KeySwitch, ModSwitch is applied to ct′ to obtain the result in

qkn+1.

[0065]Decrypts a multi-key ciphertext using all participants' secret keys. Given a MK-LWE ciphertext

ct_=( j=1kbj,a1, ,ak)qkn+1

and secret key s=(s1, . . . . sk), compute

m=2q(ct_,(1,s¯)){0,1}.

[0066]The principle of the technical schemes is further detailed below.

[0067]
The LWE Assumption: Let n,q be positive integers, and let χ be a distribution over custom-character. The decisional LWEn,q,χ problem is to distinguish the following two distributions: In the first distribution, one samples (a, b) uniformly from

qn×.

In the second distribution, one first samples

aqn

uniformly and then draws a noise term e←χ, outputting (a, b=a·s+e), where s is drawn from some key distribution over custom-character.

[0068]The decisional LWEn,q,χ assumption says that it is hard for any PPT algorithms to solve decisional LWEn,q,χ with non-negligible advantage over a random guess.

[0069]
The RLWE Assumption: Let N, Q be positive integers, and let RQ=custom-characterQ[X]/(XN+1). Let R=∩[X]/(XN+1) and χ be a distribution over R. The decisional RLWEN,Q,χ problem is to distinguish the following two distributions: In the first distribution, one samples (a, b) uniformly from RQ×RQ. In the second distribution, one first samples a←RQ uniformly and then draws a noise term e←χ, outputting (a, b=a·s+e), where s is drawn from some key distribution over R.

[0070]The decisional RLWEN,Q,χ assumption says that it is hard for any PPT algorithms to solve decisional RLWEN,Q,χ with non-negligible advantage over a random guess.

[0071]
The NTRU Assumption: Let N, Q, d be positive integers, and let RQ=custom-characterQ[X]/(XN+1) and R=custom-character[X]/(XN+1). Let χs and χe be the key and noise distributions over R, respectively. The decisional NTRUN,Q,χs,χe problem is to distinguish the following two distributions:

-{(g0/f, ,gd-1/f)|fχs,g0, ,gd-1χe}, -{(u1, ,ud)|u1, ,udRQ}.

[0072]The decisional NTRU assumption (in the vector form) says that it is hard for any PPT algorithms to solve decisional NTRUN,Q,χs,χe with non-negligible advantage over a random guess.

[0073]
The KDM-form NTRU Assumption: For positive integers N, Q, let RQ=custom-characterQ[X]/(XN+1) and R=custom-character[X]/(XN+1). Let χs and χe be the key and noise distributions over R, respectively. For an arbitrarily chosen m ∈ RQ and integers B, d, the decisional KDM-form NTRUN,Qχs,χe problem is to distinguish the following two distributions:

-{((g0+B0·m)/f, ,(gd-1+Bd-1·m)/f)|fχs,g0, ,gd-1χe}, -{(u1, ,ud)|u1, ,udRQ}.

[0074]The decisional KDM-form NTRUN,Q,χs,χe assumption says that it is hard for any PPT algorithms to solve decisional KDM-form NTRUN,Qχs,χe with non-negligible advantage over a random guess.

Gadget Decomposition

[0075]
For integers q and B, set d=┌logBq┐, the gadget vector custom-characterq,B is define as

[B0, ,Bd-1]qd.

When q and B are clear from the context, we write custom-character.
[0076]
For any a ∈ custom-characterq, its gadget decomposition result in base B is define as custom-character−1(a)=(a0, . . . , al−1) for each integer

ai(-B2,B2]

such that tor i ∈ [l]. It is easy to see that custom-character−1(a)·g=a. For any ƒ ∈ RQ, we define

𝔤-1(f):= i=0N-1𝔤-1(fi)Xi.

It is clear that

𝔤-1(f)·𝔤=i=0N-1𝔤-1(fi)·𝔤·Xi=i=0N-1fi·Xi=f

[0077]
The gadget decomposition function custom-character−1, which maps a ring element into its digit representation with respect to a fixed gadget basis, can be implemented in either a deterministic or a randomized manner. In this disclosure, we adopt the deterministic variant, as it provides consistent outputs and simplifies correctness analysis in subsequent cryptographic constructions.

NTRU-Based GSW-Like Encryption

[0078]Building upon the concept of gadget decomposition described in the previous subsection, we now turn to an encryption scheme that leverages this structure in a homomorphic setting.

[0079]Definition 1 (scalar NTRU ciphertexts). Our scalar NTRU encryption of u ∈ RQ under a secret keyf ∈ RQ (that is invertible in RQ) is defined as:

NTRUQ, f(u)=g/f+u/fRQ

where both f, g ∈ RQ are polynomials with small coefficients, which are usually taken from a ternary distribution in practice. Note that we don't multiple Δ to u in scalar NTRU encaryption different from [XZD+23](g/ƒ+Δ·u/ƒ), which is important for us to ensure the correctness of multi-key bootstrapping.

[0080]
Definition 2 (vector NTRU ciphertexts). Let custom-character=(B0, B1, . . . , Bd−1) be a gadget vertor, our vector NTRU encryption of v ∈ RQ under a secret key f ∈ RQ (that is invertible in RQ) is defined as:

NTRUQ, f(v)=g/f+v·𝔤RQd

where g are noise vector with small coefficients, and d=┌logBQ┐. The external product ⊙:

RQ×RQdRQ

between scalar NTRU ciphertexts c=NTRUQf(u) and vector NTRU ciphertexts

c=NTRUQ, f(v)

is define as:

NTRUQ, f(u)NTRUQ, f(v)=𝔤-1(c)·c

[0081]Lemma 3: External Product. Let c=NTRUQ,f(u) ∈RQ with noise variance Var(g), and

c=NTRUQ, f(v)RQd

with noise variance Var(g′). We have that ĉ=custom-character−1(c)·c=ĝ/f+u·v/f is a scalar NTRU ciphertexts for uv, and the variance of ĝ satisfies:

Var(gˆ)dNVBVar(g)+"\[LeftBracketingBar]"v"\[RightBracketingBar]"22·Var(g)

where VB denotes the variance of custom-character−1(a) for every a ∈ RQ. In particular, if v is a monomial with binary coefficient, then we have

Var(gˆ)dNVBVar(g)+Var(g).

[0082]The NTRU-based GSW-like encryption framework offers a compact and efficient mechanism for encoding both scalar and vector messages in a homomorphic context. Its carefully bounded noise growth, especially under external product operations, is critical for enabling deeper circuit evaluations without compromising correctness. This structure forms the cryptographic backbone of our blind rotation mechanism. In the next section, we leverage these components to construct a single-key blind rotation procedure, which serves as the foundational layer of our full multi-key bootstrapping pipeline.

Multi-key Fully Homomorphic Encryption

[0083]
A multi-key fully homomorphic encryption (MK-FHE) scheme is composed of five probabilistic PPT algorithms: Setup, KeyGen, Enc, Dec, and NAND.
    • [0084]Setup (1λ): Takes the security parameter λ, and returns a public parameter set pp.
    • [0085]KeyGen (pp): Outputs a public key pk and secret key sk. Generates and outputs a public/secret key pair (pk, sk).
    • [0086]Enc (m, pk): On input of a bit m ∈ {0,1} and public key pk, outputs a ciphertext ct ∈ {0,1}*. Each ciphertext is assumed to carry metadata indicating the identities of associated parties.
    • [0087]Dec (ct, {ski}i∈[k]): Given a ciphertext ct and a set of secret keys {ski}i∈[k] corresponding to the involved users, returns a decrypted bit m ∈ {0,1}.
    • [0088]NAND (ct1, ct2, {pki}i∈[k]): On input of two ciphertexts ct1 and ct2, along with the public keys pki of k participating parties (those associated with either input ciphertext), performs a NAND operation and outputs a new ciphertext. ct encoding the result. The output ciphertext implicitly contains the indices of the relevant users.

[0089]We adopt an extended form of (R)LWE-based encryption adapted for multi-key scenarios.

[0090]
In the LWE case, for a message m ∈ Zt and k secret keys s1, . . . , sk custom-charactern, define

ct_=(b,a1, ,ak)qkn+1 and s¯=(s1, ,sk)qkn.

If the following holds:

ct_,(1,s_)=qt·m+eq,

then ct is said to be a MK-LWE ciphertext encrypting m under the concatenated secret key s, with error term e.

[0091]In the RLWE case, for a message μ∈Rq and secre−keys z1, . . . , zk ∈ R, define

c¯=(c0, ,ck)RQk+1 and z¯=(1,z1, ,zk)RQk+1.

If

c¯,z¯=μ+eRQ,

then c is a MK-RLWE ciphertext representing encryption of μ under the combined secret key z, with noise e′.

Multi-key Bootstrapping Supporting Parallelization

[0092]In the previous section, we introduced the fundamental building blocks of our construction, including multi-key FHE, gadget decomposition, and NTRU-based GSW-like encryption. With these tools in place, we now present our complete bootstrapping framework that supports multi-party computation and parallel homomorphic evaluation.

[0093]This chapter details the design of our multi-key bootstrapping procedure. We begin by describing a single-key blind rotation algorithm, which serves as the basis for manipulating encrypted data in the Fourier domain. We then extend this to the multi-key setting through ciphertext merging and transformation operations. Finally, we integrate all components into a unified multi-key bootstrapping algorithm that enables ciphertext refresh under multiple keys without compromising correctness or efficiency.

Single-key Blind Rotation

[0094]We design the single-key blind rotation algorithm to output a NTRU encrytion of

X2Nq i=0n-1aisi.

[0095]BRKGen(s,f): Given a secret key

s=(s0, ,sn-1)qn

for the first-layer LWE encryption, and a secret key θ ∈ RQ for the second-layer NTRU-based GSWlike encryption, the algorithm first computes a set of ciphertexts:

evk0=NTRUQ,f(s0/f),evki=NTRUQ,f(si) for 1i<n.

[0096]Then, the algorithm outputs EVK=(evk0, . . . , evkn) as the evaluation key for blind rotation.

[0097]BREval ((b, a), EVK): Given an LWE-based ciphertext

LWEq,s(m)=(b,a)qn×q,

and an evaluation key EVK at inputs, computes and returns ACC as described in algorithm 1. The algorithm output a NTRU encrytion of

X2Nq i=0n-1aisi.

Algorithm 1 BREval((b, a), EVK)
Input:
<maths id="MATH-US-00097" num="00097"><math overflow="scroll"><mrow><mrow><mi>An</mi><mo>⁢</mo><mtext> </mtext><mi>LWE</mi><mo>⁢</mo><mtext> </mtext><mi>ciphertext</mi><mo>⁢</mo><mtext> </mtext><mrow><msub><mi>LWE</mi><mrow><mi>s</mi><mo>,</mo><mi>q</mi></mrow></msub><mo>(</mo><mi>m</mi><mo>)</mo></mrow></mrow><mo>=</mo><mrow><mrow><mo>(</mo><mrow><mi>b</mi><mo>,</mo><mrow><mi>a</mi><mo>=</mo><mrow><mo>(</mo><mrow><msub><mi>a</mi><mn>0</mn></msub><mo>,</mo><mo>…</mo><mtext> </mtext><mo>,</mo><msub><mi>a</mi><mrow><mi>n</mi><mo>-</mo><mn>1</mn></mrow></msub></mrow><mo>)</mo></mrow></mrow></mrow><mo>)</mo></mrow><mo>∈</mo><msubsup><mi>ℤ</mi><mi>Q</mi><mrow><mi>n</mi><mo>+</mo><mn>1</mn></mrow></msubsup></mrow></mrow></math></maths>
An evaluation key EVK = (evk0, ... , evkn)
Output:
<maths id="MATH-US-00098" num="00098"><math overflow="scroll"><mrow><mi>A</mi><mo>⁢</mo><mtext> </mtext><mi>NTRU</mi><mo>⁢</mo><mtext> </mtext><mi>ciphertext</mi><mo>⁢</mo><mtext> </mtext><mrow><msub><mi>NTRU</mi><mrow><mi>Q</mi><mo>,</mo><mi>f</mi></mrow></msub><mo>(</mo><msup><mi>X</mi><mrow><mfrac><mrow><mn>2</mn><mo>⁢</mo><mi>N</mi></mrow><mi>q</mi></mfrac><mo>⁢</mo><msubsup><mrow><mo>∑</mo><mtext> </mtext></mrow><mrow><mi>i</mi><mo>=</mo><mn>0</mn></mrow><mrow><mi>n</mi><mo>-</mo><mn>1</mn></mrow></msubsup><mo>⁢</mo><msub><mi>a</mi><mi>i</mi></msub><mo>⁢</mo><msub><mi>s</mi><mi>i</mi></msub></mrow></msup><mo>)</mo></mrow></mrow></math></maths>
1. for i = 0 to n − 1 do
2.  <maths id="MATH-US-00099" num="00099"><math overflow="scroll"><mrow><msubsup><mi>a</mi><mi>i</mi><mo>′</mo></msubsup><mo>=</mo><mrow><mfrac><mrow><mn>2</mn><mo>⁢</mo><mi>N</mi></mrow><mi>q</mi></mfrac><mo>⁢</mo><msub><mi>a</mi><mi>i</mi></msub></mrow></mrow></math></maths>
3. end for
4.  <maths id="MATH-US-00100" num="00100"><math overflow="scroll"><mrow><mi>ACC</mi><mo>←</mo><mrow><msup><mi>X</mi><msubsup><mi>a</mi><mi>o</mi><mo>′</mo></msubsup></msup><mo>⊙</mo><msub><mi>evk</mi><mn>0</mn></msub></mrow></mrow></math></maths>
5. for i = 1 to n − 1 do
6.  <maths id="MATH-US-00101" num="00101"><math overflow="scroll"><mrow><mi>ACC</mi><mo>←</mo><mrow><mi>ACC</mi><mo>⊙</mo><mrow><mo>[</mo><mrow><mi>𝔤</mi><mo>+</mo><mrow><mrow><mo>(</mo><mrow><msup><mi>X</mi><msubsup><mi>a</mi><mi>i</mi><mo>′</mo></msubsup></msup><mo>-</mo><mn>1</mn></mrow><mo>)</mo></mrow><mo>·</mo><msub><mi>evk</mi><mi>i</mi></msub></mrow></mrow><mo>]</mo></mrow></mrow></mrow></math></maths>
7. end for
8. return ACC

[0098]Lemma 4 (Single-key Blind Rotation): Let LWE-based ciphertext

LWEq,s(m)=(b,a)qn×q

under secret key s

qn,where a=(a0, ,an-1)qn.

Let N be a power of 2 and q|N. Let f ∈ RQ be a polynomial that is invertible in RQ. Then for any EVK=BRKGen(s,f), we have that

BREval((b,a),EVK)=NTRU (X2Nq i=0n-1aisi)=gˆ/f+X2Nq i=0n-1aisi/f.

[0099]The variance of ĝ satisfies

Var(gˆ)(2n-1)dNVBσe2,where σe2

is the noise variance for the second-layer NTRU encrytion. We denote

σBR2

as the variance of ĝ. We denote

σe2

be the noise variance for the evki for 0≤i≤n−1. In line 4 of Algorithm 1, We have the value of ACC equals

Xa0evk0=Xa0NTRUQ,f(s0/f)=NTRUQ,f(Xa0s0)

with noise variance

dNVBσe2

by Lemma 3. In line 6, it is easy to see that

𝔤+(Xai-1)·

evki=NTRUQ,f(Xaisi)

with noise variance bounded by

"\[LeftBracketingBar]"Xai-1"\[RightBracketingBar]"22·σe22σe2.

[0100]Let ci be the value of ACC after evaluating the i-th loop in line 5-7, we have

ci=ACC[𝔤+(Xai-1)·evki]=NTRUQ,f(X j=0i=1ajsj)\omathrmNTRUQ,f(Xaisi)=NTRUQ,f(X j=0iajsj).

[0101]Based on Lemma 3, the increased noise of each iteration has variance dNVB·2σe. After the loop from line 5 to 7, the output ciphertext ACC equals

NTRU(X2Nq i=0n-1aisi)

with variance bounded by

dNVBσe2+(n-1)dNVB·2σe2=(2n-1)dNVBσe2.

Merge NTRU Ciphertext into MK-RLWE Ciphertext

[0102]To support homomorphic multiplication in the multi-key setting, we introduce a new operation that merges a scalar NTRU ciphertext with a multi-key RLWE ciphertext. This operation is crucial for enabling key-consistent evaluations across ciphertexts encrypted under different keys.

[0103]We define a two-step multiplication process. First, we outline the construction of the HybridProduct and the associated noise key-switching keys (nksk), which form the foundation for our ciphertext merging mechanism. These components will be integrated into our overall bootstrapping procedure to ensure correct and efficient message multiplication.

[0104]HPKGen(zii): Given a RLWE secret key zi ∈ RQ and a NTRU secret key θi ∈ RQ of party i, it generates and returns the hpki=(di,0, di,1, di,2) as follows:

[0105]Sample ri←χσβ and a noise vector

ei,0χσβdhp,

output the vector

di,0=ri·a+fi·𝔤+ei,0RQdhp.

[0106]Sample

di,1RQdhp

and a noise vector

ei,1χσβdhp,

compute

di,2=-zi·di,1+ri·𝔤+ei,1RQdhp

and output(di,1,di,2)

[0107]HybridProduct (c, hpki, {bj}j∈[k]): Given an MK-RLWE ciphertext

c_=(c0, ,ck)RQk+1,hpki=(di,0,di,1,di,2)

of party i and the public keys {bj}j∈[k] of parties associated with c, return an MK-RLWE ciphertext c′ as follows: for 0≤j≤k compute

uj=𝔤-1(cj),di,0.

[0108]Then compute

v= j=0k𝔤-1(cj),bj,

return an MK-RLWE ciphertext

c_=(c0,c1, ,ck)RQk+1,

where

c0=u0+𝔤-1(v),di,1,ci=ui+𝔤-1(v),di,2,cj=uj for[k]i.

[0109]The output ciphertext c′ satisfies:

c¯,z¯=f·c¯,z_+e.

[0110]Let

σhp2

denotes the vanance or me noise term e′, we have

σhp2kdhpN2Vhpσβ2.

Algorithm 2 Merge(c, <o ostyle="single">c</o>, NKSKi, hpki, {bj}j∈[k])
Input:
A scalar NTRU ciphertext (NTRUf<sub2>i</sub2>,Q(m) = c ∈ RQ)
Product Key (NKSKi = {nkskj}0≤j≤d-1, hpki, {bj}j∈[k])
Output:
1. for j = 0 to d − 1 do
2.  vj = c ⊙ nkskj
3. end for
4. v = (v0, v1, .... , vd−1)
5. for j = 0 to k do
6.  cj′ = g−1 (cj) · v (mod Q)
7. end for
8.   <maths id="MATH-US-00131" num="00131"><math overflow="scroll"><mrow><mover accent="true"><mi>c</mi><mi>ˆ</mi></mover><mo>=</mo><mrow><mo>(</mo><mrow><msubsup><mi>c</mi><mn>0</mn><mo>′</mo></msubsup><mo>,</mo><msubsup><mi>c</mi><mn>1</mn><mo>′</mo></msubsup><mo>,</mo><mo>…</mo><mtext> </mtext><mo>,</mo><msubsup><mi>c</mi><mi>k</mi><mo>′</mo></msubsup></mrow><mo>)</mo></mrow></mrow></math></maths>
9.  <o ostyle="single">c′</o> ← HybridProduct (ĉ, hpki, {bj}j∈[k])
10. return ĉ

[0111]NKSKGen(ƒ,B): Given a NTRU secret key ƒ and gadget base B, the algorithm compute a set of ciphertexts

nkski=NTRUf,Q(Bi)RQd

for 0≤i≤d−1 and return NKSK={nkski}0≤i≤d−1.

[0112]Correctness of Algorithm 2: We show that if NTRUθi, Q(m)=c is a scalar NTRU ciphertext that encrypts m under secret key ƒi and c=(c0, c1, . . . , ck) is a MK-RLWE ciphertext that encrypts uunder secret key z=(z0, z1, . . . , zk), then the output ciphertext c′ is a MK-RLWE ciphertext that encrypts m·μ.

[0113]The algorithm first compute vi for (0≤i≤d−1) in line 1-2, we have

(vj=cnkskj=NTRUfi,Q(m)NTRUfi,Q(Bi)=NTRUfi,Q(m·Bj)).

Then in line 4, we have

v=(v0,v1, ,vd-1)=(g0fi+B0·mfi, ,gd-1fi+Bd-1·mfi)=gfi+m·𝔤fiRQd

where

g=(g0, ,gd-1)RQd and {gj}j[d]

are noise polynomials with small coefficients. Then the algorithm compute

(cj=𝔤-1(cj)·v(mod Q)=𝔤-1(cj)·gfi+cj·mfi)

for 0≤j≤d−1) Let

cˆ=(c0,c1, ,ck),

we have that

cˆ=(c0,c1, ,ck)=(𝔤-1(c0)·gfi+c0·mfi, ,𝔤-1(ck)·gfi+ck·mfi)RQk+1.

[0114]After HybridProduct in line 9, we finally have the output ciphertext c′ satisfies that

c¯,z¯fi·cˆ,z¯=fi·cˆ,z¯m·c¯,z¯=m·c¯,z¯m·μ.

[0115]So c′ is a MK-RLWE ciphertext that encrypts m·μ.

Lemma 5 (Merge)

[0116]
Let NTRUƒi,Q(m)=c be a scalar NTRU ciphertext that encrypts m under secret key ƒi. Let c=(c0, c1, . . . , ck) be a MK-RLWE ciphertext under secret key z=(z0, z1, . . . , zk). The output ciphertext c′ of Algorithm 2 is a MK-RLWE ciphertext such that custom-characterc′, zcustom-character=m·custom-characterc, zcustom-character+e′ for some noise term e′ ∈ RQ. Let

σpd2

be the variance of noise term e′, we have that

σpd2(1+kN/2)(d2N2VB2σe2+dNVBVar(g))+kdhpN2Vhpσβ2.

where

Var(g),σe2

are the noise vanance of c and the noise variance of nksk, respectively.

[0117]By definition, we have c=g/ƒi+m/ƒi=NTRUƒi,Q(m) ∈ RQ with noise polynomial g, and

nkskj=NTRUf,Q(Bj)RQd

with noise variance

σe2.

The algorithm first compute vj for (0≤j≤d−1) in line 1-2, we have that

vj=cnkskj=NTRUfi,Q(m)NTRUfi,Q(Bi)=gjfi+Bj·mfi

where

Var(gj)dNVBσe2+Var(g)

by lemma 3.

[0118]Then in line 4, we have

v=(v0,v1, ,vd-1)=(g0fi+B0·mfi, ,gd-1fi+Bd-1·mfi)=gfi+m·𝔤fi RQd

where

g=(g0, ,gd-1) RQd.

Then the algorithm compute

cj=𝔤-1(cj)·v(mod Q)=𝔤-1(cj)·g/fi+cj·m/fi) for (0jd-1).

[0119]Let

cˆ=(c0,c1, ,ck),

we have that

cˆ=(c0,c1, ,ck)=(𝔤-1(c0)·gfi+c0·mfi, ,𝔤-1(ck)·gfi+ck·mfi) RQk+1.

[0120]
Let ĝ=(custom-character−1(c0)·g′, . . . , custom-character−1(ck)·g′),the variance Var(ĝ) of ĝ satisfies

Var(gˆ)=dNVBVar(g)d2N2VB2σe2+dNVBVar(g).

[0121]Let e″ be the noise introduced by the HybridProduct with variance

Var(e)kdhpN2Vhpσβ2.

[0122]After HybridProduct in line 9, we finally have the output ciphertext c′ satisfies that

c¯,z¯=ficˆ,z¯+e=(gˆ+c¯·m),z¯+e=gˆ,z¯+m·c¯,z¯+e=m·c¯,z¯+e

where e′=custom-characterĝ,zcustom-character+e″. We denote

σpd2

as the variance of e′, it is bounded by

σpad2=(1+kN/2)Var(g˜)+Var(e)(1+KN/2)(d2N2VB2σe2+dNVBVar(g))+kdhpN2Vhpσβ2.

The Multi-key Bootstrapping Algorithm

[0123]We first define the LWE-based Multi-key modswitch and multi-key keyswitch that will used in Multi-key Bootstrapping as follows.

[0124]
LKSKGen (z,s): Given two LWE secret key z=(z0, . . . , zN−1) ∈custom-characterN and s=(s0, . . . , sN−1) ∈\custom-charactern, sample

Aiqd×n

and noise

eiχσαd

for 0≤i≤N−1, then compute

bi=-Ai·s+ei+zi·𝔤 Zqd.

and output the key-swithch key lksk={(bi,Ai)}0≤j≤N−1.

[0125]KeySwitch(ct,{lkskj}j∈[k]): Given a MK-LWE ciphertext

ct¯=(b,a1, ,ak) Zqkn+1 for aj=(a0,j, ,an-1,j) qn,

and a set of key-switch key {lkskj}j∈[k]. For 1≤j≤k, the algorithm compute

(bj,aj)=i=0N-1 fg-1(ai,j)·lkskj.

[0126]Then output the ciphertext

ct_=(b+ i=1 kb,a1, ,ak).

[0127]Lemma 6 (Key Switching for MK-LWE): Let

ct_=(b,a1, ,ak)qkN+1

be a MK-LWE ciphertext encrypting m under secret key

(1,z_)ZqkN+1,

and ${lkskj=LKSKGen(zj,sj)}j∈[k]$ be a set of key-swithcing key. The output ciphertext

ct_=KeySwitch(ct_,{lkskj}j[k])qkn+1

is a ciphertext that encrypts m under secret key

(1,s_)Zqkn+1.

Moreover, the increased noise e′ has variance

σks2kdNVksσα2.

[0128]At the last step of our Multi-key bootstrapping, we will need to switch the modulus of an MK-LWE ciphertext, we define the ModSwitch algorithm using randomized rounding function.

[0129]ModSwitch(c): Given a MK-LWE ciphertext

c=(c0, ,ckn)ZQkn+1,

using the randomized rounding function [·]Q:q: custom-characterQcustom-characterq defined as [x]Q:q=└qx/Q┘+B, output the ciphertext

c=([ci]Q:q)0i<knqkn+1

where B ∈ {0,1} is a Bernoulli random variable with Pr{B=1}=(qx/Q)−└qx/Q┘ ∈ [0,1).

[0130]Lemma 7 (ModSwitch for MK-LWE): Let

cQkn+1

is a MK-LWE ciphertext of μ with noise e. Then c′=ModSwitch(c) is a MK-LWE ciphertext of μ in

Zqkn+1.

Moreover, the noise e′ of c′ has variance

Var(e)q2Q2Var(e)+σMS2.

Algorithm 2 Multi-key Bootstrapping
Input:
Product Key(({NKSKj}, {hpkj}, {bj})j∈[k])
Evaluation key {EVKj} = {(evk0,j, ... , evkn,j)}j∈[k]
LWE key-switching key{lkskj}j∈[k]
Output:
1.  <maths id="MATH-US-00175" num="00175"><math overflow="scroll"><mrow><mrow><mrow><mrow><mrow><mrow><mrow><mi>ACC</mi><mo>←</mo><mrow><mo>(</mo><mrow><mo>-</mo><mrow><mo>⌊</mo><mfrac><mi>Q</mi><mn>8</mn></mfrac></mrow></mrow></mrow></mrow><mo>⌉</mo></mrow><mo>·</mo><msup><mi>X</mi><mrow><mfrac><mrow><mn>2</mn><mo>⁢</mo><mi>N</mi></mrow><mi>q</mi></mfrac><mo>⁢</mo><mi>b</mi></mrow></msup><mo>·</mo><msub><mrow><mo>∑</mo><mtext> </mtext></mrow><mrow><mfrac><mi>N</mi><mn>2</mn></mfrac><mo>&lt;</mo><mi>i</mi><mo>&lt;</mo><mfrac><mi>N</mi><mn>2</mn></mfrac></mrow></msub></mrow><mo>⁢</mo><msup><mi>X</mi><mi>i</mi></msup></mrow><mo>,</mo><mn>0</mn></mrow><mo>)</mo></mrow><mo>∈</mo><msubsup><mi>R</mi><mi>Q</mi><mrow><mi>k</mi><mo>+</mo><mn>1</mn></mrow></msubsup></mrow></math></maths>
2. for j = 1 to k do
3. ACCj′ ← BREval((b, aj), EVKj)
4. end for
5. For j = 1 to k do
6. ACC ← Merge(ACC, ACCj′, NKSKj, hpkj, {bj}j∈[k])
7. end for
8.  <maths id="MATH-US-00176" num="00176"><math overflow="scroll"><mrow><mrow><mrow><mrow><mi>ACC</mi><mo>←</mo><mrow><mi>ACC</mi><mo>+</mo><mrow><mo>(</mo><mrow><mo>⌊</mo><mfrac><mi>Q</mi><mn>8</mn></mfrac></mrow></mrow></mrow></mrow><mo>⌉</mo></mrow><mo>,</mo><mn>0</mn></mrow><mo>)</mo></mrow></math></maths>
9.  <maths id="MATH-US-00177" num="00177"><math overflow="scroll"><mrow><mrow><msup><mover><mi>ct</mi><mo>_</mo></mover><mo>′</mo></msup><mo>←</mo><mrow><mi>Extract</mi><mo>(</mo><mi>ACC</mi><mo>)</mo></mrow></mrow><mo>∈</mo><msubsup><mi>ℤ</mi><mi>Q</mi><mrow><mrow><mi>k</mi><mo>⁢</mo><mi>N</mi></mrow><mo>+</mo><mn>1</mn></mrow></msubsup></mrow></math></maths>
10.  <maths id="MATH-US-00178" num="00178"><math overflow="scroll"><mrow><mrow><msup><mover><mi>ct</mi><mo>_</mo></mover><mo>′</mo></msup><mo>←</mo><mrow><mi>KeySwitch</mi><mo>(</mo><mrow><msup><mover><mi>ct</mi><mo>_</mo></mover><mo>′</mo></msup><mo>,</mo><msub><mrow><mo>{</mo><msub><mi>lksk</mi><mi>j</mi></msub><mo>}</mo></mrow><mrow><mi>j</mi><mo>∈</mo><mrow><mo>[</mo><mi>k</mi><mo>]</mo></mrow></mrow></msub></mrow><mo>)</mo></mrow></mrow><mo>∈</mo><msubsup><mi>ℤ</mi><mi>Q</mi><mrow><mrow><mi>k</mi><mo>⁢</mo><mi>n</mi></mrow><mo>+</mo><mn>1</mn></mrow></msubsup></mrow></math></maths>
11.  <maths id="MATH-US-00179" num="00179"><math overflow="scroll"><mrow><mrow><msup><mover><mi>ct</mi><mo>_</mo></mover><mo>′</mo></msup><mo>←</mo><mrow><mi>ModSwitch</mi><mo>(</mo><msup><mover><mi>ct</mi><mo>_</mo></mover><mo>′</mo></msup><mo>)</mo></mrow></mrow><mo>∈</mo><msubsup><mi>ℤ</mi><mi>q</mi><mrow><mrow><mi>k</mi><mo>⁢</mo><mi>n</mi></mrow><mo>+</mo><mn>1</mn></mrow></msubsup></mrow></math></maths>

Correctness of Algorithm 3

[0131]
Let custom-character for 1≤j≤k be the value of

ACCj

in line 3, and

aj=(a0,j, ,an-1,j)qn,sj=(s0,j, ,sn-1,j)qn

for the LWE public key and LWE secret key of party j, by the correctness of single-key blind rotaion we have

=NTRUQ,f(X2Nq i=0 n-1ai,jsi,j)=NTRUQ,f(X2Nqaj,sj).

[0132]Then the algorithm mulitple scalar NTRU ciphertext

ACCj

to the MK-RLWE ciphertext ACC for 1≤j≤k. Let ĉ be the value of ACC after iteration in line 7, we have

c^,z_Q8·X2Nqb·XN2·i=0N-1Xi·X2Nqj=1kaj, sj=Q8·-N2<i<N2Xi·X2Nq(b+j=1kaj, sj).

[0133]Let

R(X)=-N2<i<N2Xi·X2Nq(b+j=1kaj, sj).

Because

b+ j=1kaj,sj=c¯t,(1,s¯)q2m,

if m=0, the constant term of R(X) is approximately equal to 1; otherwise, if m=1 it is approximately equal to −1. Therefore, the constant term of custom-characterĉ, zcustom-character approximately equal to

$ Q4 m-Q8.

In line 8 the algorithm add

(Q8,0)

to ACC, so the value of ACC is a MK-RLWE encrytion that the constant trem of plaintext is

Q4 m.

[0134]After that the algorithm extract a MK-LWE ciphertext

ct_QkN+1,

which satisfies

ct_,(1,z_)Q4 m.

Then the MKSwitch switch the secret key from z to s. Finally after ModSwitch the alogrithm return a the refreshed MK-LWE ciphertext

ct_qkn+1.

Lemma 8 (Multi-key Boostrapping)

[0135]Let

ct_=(b,a1, ,ak)Zqkn+1

be a MK-LWE ciphertext encryping a plaintext m under secret key (1,s). The output ciphertext ct′ of Algorithm 3 is an refreshed MK-LWE ciphertext encryping the same plaintext $m$. In addition, the noise e of refreshed ciphertext has variance

Var(e)q2Q2(kσpd2+σks2)+σMS2

where

σpd2,σlks2,σMS2

are ine noise variances contributed respectively by the product, the keyswitch, and the modswitch in Algorithm 3.

[0136]
Initially, the algorithm set ACC as the trivial MK-RLWE encryption with no noise. Let custom-character for 1≤j≤k be the value of ACC′j in line 3. By lemma 4 we have that the noise custom-character of custom-character has variance

Var(e^j)=σBR2(2n+1)dNVBσe2.

[0137]Then after multiplying ACC′j to ACC k times (line 5-7), by lemma 5 we have that the noise variance of ACC is bounded by kσpd2, we have

kσpd2k(1+kN/2)(d2N2VB2σe2+dkNVBσBR2)+k2dhpN2Vhpσβ2=(2+kN/2+2n)(kd2N2VB2σe2)+k2dhpN2Vhpσβ2.

[0138]By a trivial Extract in line 9, we get an MK-LWE ciphertext ct′ without increasing the noise variance. After KeySwitch in line 10, by lemma 6 we have that the noise varince of ct′ is bounded by

k2σpd+σks2.

Then by lemma 7 the noise vatince after ModSwitch is bounded by

q2Q2 (kσpd2+σks2)+σMS2.

We finally have the output ciphertext ct′ has noise variance

Var (e)q2Q2(kσpd2+σks2)+σMS2=q2Q2((2+kN/2+2n)(kd2N2VB2σe2+k2dhpN2Vhpσβ2)+kdNVksσα2)+σMS2

Multi-key FHE Scheme

[0139]In this section, we explicitly describe an MKHE scheme based on all building blocks.

[0140]
MKHE.Setup (1λ):
    • [0141]Run LWE.Setup (180 ) to generate the parameter ppLWE=(n, χ, σα, B, d, q).
    • [0142]Run RLWE.Setup (1λ) to generate the parameter ppRLWE=(N, χ, σβ, B, d, a, Q).
    • [0143]Run NTRU.Setup (1λ) to generate the parameter ppNTRU=(N, χ, σe, B, d, Q).
    • [0144]Return the generated public parameters ppMKHE=(ppLWE, ppRLWE, ppNTRU).
[0145]
MKHE.KeyGen( ): Each party i independently generates its keys as follows.
    • [0146]Sample an LWE secret key
si=(si,0, ,si,n-1) Zqn
    • [0147]Sample a RLWE secret key zi ∈ RQ, a noise vector

ei𝒳σβd

and compute

bi=-a·zi+eiRQd.
    • [0148]Generate the product key for NTRU product MK-RLWE: hpki←HPKGen(zii),NKSKi←NKSKGen(ƒi,B).
    • [0149]Generate the evaluation key for Single-key blind rotation EVKi←BRKGen(sii).
    • [0150]Let zi*=(zi,0,−zi,N−1, . . . ,−zi,1) ∈ custom-characterN for zi=zi,0+zi,1X+. . . +ziN−1XN−1.
[0151]
Generate the MK-LWE keyswitch key lkski←LKSKGen(zi*,si).
    • [0152]Publish(bi, hpki, NKSKi, EVKi, lkski).

[0153]MKHE.Enc(si,m): Given a plaintext m ∈ 0,1,party i sample

aiqn,e𝒳σα

and output a LWE ciphertext

ci=(-ai,si+q4 m+e,ai) q× qn.

[0154]MKHE.Expand({cj}j∈[k]): Given

cj=(bj,aj) qn+1

1≤j≤k, return the MK-LWE ciphertext

ct_=( j=1k bj,a1, ,ak) qkn+1.

[0155]MKHE.Dec (ct, {sj}j∈[k]): Given a MK-LWE ciphertext

ct_=( j=1k bj,a1, ,ak) qkn+1

and secret key s=(s1, . . . sk), compute

m=2q(ct_,(1,s¯)){0,1}.

[0156]MKHE.NAND(ct1, ct2): Given two MK-LWE ciphertexts

ct_1qkn+1 and ct_2qkn+1,

evaluate the NAND gate and refresh the result ciphertext through multi-key bootstapping:
    • [0157]1. Compute
ct_=(5q8,0, ,0)-ct_1-ct_2\qkn+1.
    • [0158]2. Run Multi-key bootstrapping Algorithm 3 to get the refreshed ciphertext ct′,return ct′.

[0159]According to another aspect of the present disclosure, as shown in FIG. 4, a computing system 100 is provided. According to some embodiments of the present disclosure, the computing system 100 comprises a central node 110, a network 120, and a plurality of participant nodes 130, 140 implemented on hardware such as cloud servers and edge devices. The central node 110, typically a cloud server (e.g., AWS EC2 instance with 16 GB RAM, 8-core Intel Xeon CPU, and 100 GB SSD storage), produces and disseminates the unified parameter set ppLWE=(n, χ, σα, B,d, q), ppRLWE=(N, χ, σβ, B,d, a, Q), ppNTRU=(N, χ, σe, B,d, Q) including the noise distribution χand gadget base B. The parameters are transmitted over a secure network (e.g., VPN with AES-256 encryption) to participant nodes 130, 140.

[0160]Each participant node, implemented on an edge device (e.g., Raspberry Pi 4 with 4 GB RAM, quad-core ARM Cortex-A72 processor, and 32 GB SD card storage), is configured to:

[0161]Generate Cryptographic Keys: Produce a secret key pair (si,zi), a hybrid product key hpki, and evaluation keys, stored in a memory (e.g. 256 MB of encrypted RAM).

[0162]Encrypt Plaintext: Convert plaintext bits into LWE ciphertext

ci=(-ai,si+q4m+e,ai) q×qn,

using a cyptographic co-processor for modular arithmetic.

[0163]Aggregate Ciphertexts: Contribute to forming the composite ciphertext ct, coordinated via the central node's API.

[0164]
Perform Homomorphic Evaluation: Execute the noise-refreshing procedure which includes:
    • [0165]Fourier Transform-Based Rotation: Apply blind rotation in the Fourier domain, using a GPU (e.g., NVIDIA Jetson Nano) to achieve O(n log n) complexity for polynomial degree n.
    • [0166]Tensor Product-Based Multiplication: Perform tensor product-based multiplication with gadget decomposition and vector assembly to bound error growth. Construct a gadget vector v=(v0, v1, ···, vd−1) via linear combinations of decomposed NTRU ciphertext components, computed on a CPU with, for example, 2 MB cache. The tensor products are assembled into an updated RLWE ciphertext, ensuring noise variance

σhp2kdhpN2Vhpσβ2.

[0167]The system's parallel execution across participant nodes, supported by multi-core processors and distributed computing frameworks (e.g., Apache Spark), achieves quasi-linear complexity, enabling scalability for large k.

Hardware Implementation

[0168]
According to one embodiment of the present disclosure, The MK-FHE method and system are implemented on a distributed computing environment with the following hardware specifications:
    • [0169]Central Node: A cloud server with a 64-bit multi-core CPU (e.g., AMD EPYC with 16 cores), 32 GB DDR4 RAM, 500 GB NVMe SSD storage, and a 10 Gbps network interface for parameter distribution and coordination. The server runs a Linux-based OS (e.g., Ubuntu 22.04) with cryptographic libraries (e.g., OpenFHE, SEAL) for parameter generation and communication.
    • [0170]Participant Nodes: Edge devices or laptops with quad-core 64-bit processors (e.g., Intel Core i5 or ARM Cortex-A72), 4-8 GB RAM, 32-64 GB flash storage, and a cryptographic co-processor (e.g., TPM or AES-NI support). These devices support FFT computations via GPU accelerators (e.g., NVIDIA CUDA cores) and store keys and ciphertexts in encrypted memory partitions.
    • [0171]Network Infrastructure: A secure network with TLS 1.3 encryption, 1 Gbps bandwidth, and low-latency connections (e.g., <50 ms) to ensure efficient key and ciphertext exchange.
    • [0172]Storage Requirements: Approximately 1 MB per LWE ciphertext, 2-4 MB per RLWE/NTRU ciphertext, and 10 MB for key storage per node, enabling deployment on resource-constrained devices like IoT gateways.
    • [0173]Power Consumption: Participant nodes operate within a 5-10 W power envelope, suitable for battery-powered edge devices, while the central node consumes 100-200 W, typical for cloud servers.

[0174]This hardware configuration supports the method's efficiency, with blind rotation greatly reducing computation time compared to polynomial arithmetic, and NTRU's compact structures reducing memory usage compared to TFHE-based schemes. The system's design enables deployment in resource-constrained environments, such as edge computing networks for IoT or mobile devices.

[0175]The descriptions, examples, methods and materials presented in the claims and the specification are not to be construed as limiting but rather as illustrative only.

[0176]Meanings of technical and scientific terms used herein are to be commonly understood as by one of ordinary skill in the art to which the disclosure belongs, unless otherwise defined. The present disclosure may be implemented in the testing or practice with methods and materials equivalent or similar to those described herein.

[0177]While the disclosure has been described with respect to a limited number of embodiments, these should not be construed as limitations on the scope of the disclosure, but rather as exemplifications of some of the preferred embodiments. Other possible variations, modifications, and applications are also within the scope of the disclosure. Accordingly, the scope of the disclosure should not be limited by what has thus far been described, but by the appended claims and their legal equivalents.

Claims

What is claimed is,:

1. A computer-implemented method for multi-key fully homomorphic encryption, comprising:

generating a unified set of public parameters defining operational moduli and dimensions for learning with errors (LWE), ring learning with errors (RLWE), and NTRU-based encryption schemes;

producing, for each participant in a plurality of participants, independent cryptographic keys comprising a secret key pair for encryption and decryption operations, and a hybrid product key enabling merging of ciphertexts across LWE and RLWE structures;

transforming plaintext data into an initial encrypted form under a participant's secret key, yielding a participant-specific ciphertext compatible with LWE structures;

aggregating participant-specific ciphertexts from the plurality of participants to form a composite ciphertext operable under multiple keys;

conducting homomorphic evaluation of a logical operation on at least two composite ciphertexts, incorporating a noise-refreshing procedure that: integrates single-element LWE-based encrypted structures with multi-element RLWE-based encrypted structures through a gadget decomposition and tensor product-based multiplication process to generate an updated composite ciphertext; and

recovering the evaluated plaintext from the updated composite ciphertext by collaboratively applying the secret keys of all relevant participants.

2. The method of claim 1, wherein the step of generating a unified set of public parameters defining operational moduli and dimensions for LWE, RLWE, and NTRU comprises specifying an integer modulus q for LWE operations and a polynomial ring modulus Q for RLWE and NTRU operations; specifying a vector dimension n for LWE secrets and a polynomial ring dimension N for RLWE/NTRU secrets; and specifying noise distributions, gadget decomposition bases, and error bounds for all three encryption schemes.

3. The method of claim 1, wherein the secret key pair comprises an LWE secret vector

si qn

and an RLWE secret key zi ∈ RQ; the hybrid product key is generated by sampling random elements ri←χσβ and noise vector

ei,0𝒳σβdhp,

computing

di,0=ri·a+fi·𝔤+ei,0 RQdhp,

computing

di,2=-zi·di,1+ri·𝔤+ei,1 RQdhp,

and outputting a product key pair (di,1, di,2), a ciphertext merging key set is NKSK={nkski}2≤i≤d−1, where

nkski=NTRUf,Q(Bi).

4. The method of claim 1, wherein the step of transforming plaintext data into an initial encrypted form under a participant's secret key comprises sampling a random vector

aiZqn

and noise term e←χσ computing a ciphertext component

b=-ai,si+q4m+e,

outputung the ciphertext as a pair

(b,ai)q×qn,

wherein si is the participant's LWE secret key.

5. The method of claim 1, wherein aggregating participant-specific ciphertexts from a plurality of participants by: receiving single-party LWE ciphertexts

cj=(bj,aj) qn+1

for 1≤j≤k, where each cj is encrypted under a distint participant's secret key; computing a joint offset term

bsum=j=1kbj q,

concatenating ciphertext vectors to form

ajoint=(a1, ,ak) qkn;

outputting a composite ciphertext

ct¯=(bsum,ajoint) qkn+1;

wherein the composite ciphertext is operable under a combination of all participants' secret keys for homomorphic evaluation or decryption.

6. The method of claim 1, wherein the noise-refreshing procedure during homomorphic evaluation comprises: computing decomposed components for each index j from 0 to d−1:vj=c⊙nkskj, constructing a gadget vector v=(v0, v1, ···, vd−1), computing

cj=𝔤-1(cj)·v mod Q

and forming intermediate ciphertexts ĉ=(c′0, c′1, . . . , c′k), applying HybridProduct to ĉ using public keys {bj}j∈[k].

7. The method of claim 1, wherein recovering the evaluated plaintext comprises:

computing an inner product between the updated composite ciphertext

ct_=( j=1kbj,a1, ,ak)qkn+1

and the aggregated secret key vector (1,s), where s=(s1, . . . sk) is the concatenation of all participants' secret keys, scaling and discretizing the result to recover a plaintext bit

m=2q(ct_,(1,s_)){0,1}.

8. The method of claim 1, wherein the noise-refreshing procedure comprises:

9. The method of claim 8, wherein the blind rotation algorithm BREval comprises:

scaling coefficients

ai=2Nqai,

initializing ACC=Xα0⊙evk0, iteratively updating

ACC[g+(Xai-1)·evki]

for 1≤i≤n−1.

10. The method of claim 8, wherein the noise-refreshing procedure executes in quasi-linear time relative to the number of parties k.

11. The method of claim 8, wherein the noise-refreshing procedure further comprises a ModSwitch operation comprising: receiving a multi-key LWE ciphertext

c=(c0, ,ckn)Qkn+1,

c=([ci]q:Q)0iknqkn+1.

12. The method of claim 8, wherein the noise-refreshing procedure further comprises a KeySwitch operation comprising: receiving a multi-key LWE ciphertext

ct_=(b,a1, ,ak)qkn+𝟙,

for each paritipant j, 1≤j≤k, computing

(bj,aj)= i=0N-1𝔤-1(ai,j)·lsksj,

then outputting a transformed ciphertext

ct_=(b+ i=1kbi,a1, ,ak).

13. A computing system configured for multi-key fully homomorphic encryption, comprising:

a central node configured to produce and disseminate a unified set of public parameters for LWE, RLWE, and NTRU-based encryption schemes; and

a plurality of participant nodes, each configured to: generate cryptographic keys including a secret key pair and a hybrid product key for ciphertext merging; convert plaintext data into a participant-specific ciphertext; contribute to aggregating participant-specific ciphertexts into a composite ciphertext; participate in homomorphic evaluation via a noise-refreshing procedure that integrates LWE and RLWE structures through gadget decomposition and tensor product-based multiplication; wherein the noise-refreshing procedure applies a Fourier transform-based rotation operation in a frequency domain.

14. The system of claim 13, wherein each participant node executes the noise-refreshing procedure by: performing tensor product-based multiplication with decomposition and vector assembly to bound error growth.

15. The system of claim 13, wherein the central node distributes parameters defining a noise distribution χ and gadget base B.

16. The system of claim 13, wherein each participant node performs the tensor product-based multiplication by constructing a vector v=(v0, . . . , v_ {d−1}) via linear combinations of decomposed ciphertext components.

17. A non-transitory computer-readable storage medium storing instructions that, when executed by one or more processors, cause the processors to perform the method of claim 1.